Devnull, DDoS, COD4. Possible uh... fix.

Hi,

Before some of you start rambling on about how I don’t know what I’m talking about, which may possibly be the case, please hear me out. This information may be old, or new.

I, together with a friend, Matt, used to run an Australian Garry’s Mod community named PubGamer, which was popular throughout the last couple of years in Half Life 2 Roleplay, Dark Roleplay, TTT, as well as PERP. Whilst running PERP in particular, we were the victim of devnulls, day in, day out, hour after hour. After countless days researching the issue, we found a program called Peerblock. What Peerblock effectively does is block IPs you tell it to block. Maybe the attacks on our server weren’t as large as others, but we were still being hit with 30 thousand IPs simultaneously, with a total of 100 thousand being blocked ultimately.

Once these IPs were blocked, which were indeed carrying COD4 data, the effect of the attack would last for about 20-30 seconds, because Peerblock found it hard to block 30 thousand IPs all at once and had to take a breather; then the overall effect of the attack would disappear. The packets were still being sent, they were just being blocked at a software level.

Here are all of our Peerblock lists, which contain, I believe, most of the offending IPs. Close to 100 thousand all up.

http://www.mediafire.com/?17xaisst549svks

The only attack this did not withstand was a 15gb/s attack on Boxing Day of 2010, which crashed Optus Queensland in Australia for 25 minutes.

I hope this information is useful to you all.

Anyone else tested this before?

The amount of bandwidth devnull puts out is greater than the pipe that feeds into your server. Which means that any firewall measures that you have in place on your server won’t matter, as the network itself is being flooded.

Analogy:

You have a store: when two or three customers go through the door, it’s fine. If a million try to get through, no one who really wants to be there can get in the door to reach the counter. If you tell the guy at the counter to refuse service to ‘those people’, it doesn’t matter; your door is still blocked.

And you could just query the master servers of the CoDs, Quakes and Source servers for the IPs to block, which would be much more up to date. You’ll need to get your upstream providers to block the IPs for you though.

I’d say let’s just let the investigation continue in this thread. Hopefully it won’t get shitposted to death by some dumbass again.

Again, best way to stop this would be through reporting PayPal accounts, as they have bank accounts tied to them and such. If we stop CoD4, he can still use any number of other games, and we’ll just have wasted our time.

Wouldn’t the line still get flooded even if you blocked it with software?

I dunno, the cod4 DrDoS I’ve been hit with this month hasn’t saturated my line or even lagged RDP much; it’s just that the srcds application really hates unwanted parties.

Something needs to be implemented into srcds to ignore stupid packets.

Yep.
If the DrDoS is not big enough to saturate your connection then a firewall helps, because the game server has to receive, process, and respond to all those requests. So in that instance the firewall can help the game server out by blocking connections so the game server never has to know about them.
However, if the server as a whole is maxed out on its connection then there is nothing you can do.
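The post above separates reflected traffic a host firewall can still drop from link saturation it cannot. As an added example, not code from this thread, here is a small Python script that runs over constructed flow records and flags inbound UDP from the reflector ports the thread mentions (DNS, Source, CoD4) that no outbound query from the server solicited, producing a candidate block list; SERVER_IP, the sample flows, the window and the port map are assumptions for the example.

```python
from collections import defaultdict

# Well-known UDP ports of the reflector types named in this thread.
# Assumed mapping for the example; adjust to the services you actually run.
REFLECTOR_PORTS = {53: "dns", 27015: "source", 28960: "cod4"}
SERVER_IP = "203.0.113.10"  # our game server (constructed, RFC 5737 range)

# Constructed flow records: (ts, proto, src_ip, src_port, dst_ip, dst_port, bytes)
SAMPLE_FLOWS = [
    (100.0, "udp", SERVER_IP, 27015, "198.51.100.5", 53, 60),    # we queried this DNS server
    (100.1, "udp", "198.51.100.5", 53, SERVER_IP, 27015, 180),   # solicited reply, fine
    (100.2, "udp", "192.0.2.1", 28960, SERVER_IP, 27015, 1400),  # unsolicited cod4 reply
    (100.3, "udp", "192.0.2.1", 28960, SERVER_IP, 27015, 1400),
    (100.4, "udp", "192.0.2.1", 28960, SERVER_IP, 27015, 1400),
    (100.5, "udp", "192.0.2.2", 27015, SERVER_IP, 27015, 900),   # single Source reply
    (100.6, "tcp", "192.0.2.3", 28960, SERVER_IP, 27015, 400),   # not UDP, ignored
    (105.0, "udp", "198.51.100.5", 53, SERVER_IP, 27015, 600),   # reply long after query
]

def find_unsolicited(flows, server_ip, window=2.0):
    """Return {src_ip: (service, packets, bytes)} for inbound UDP from known
    reflector ports that no outbound query from server_ip preceded within
    `window` seconds. Flows are processed in timestamp order."""
    recent_queries = {}  # (peer_ip, peer_port) -> last time we sent to it
    hits = defaultdict(lambda: [None, 0, 0])
    for ts, proto, src, sport, dst, dport, size in sorted(flows):
        if proto != "udp":
            continue
        if src == server_ip:
            recent_queries[(dst, dport)] = ts  # remember what we asked for
            continue
        if dst != server_ip or sport not in REFLECTOR_PORTS:
            continue
        asked = recent_queries.get((src, sport))
        if asked is not None and ts - asked <= window:
            continue  # we solicited this reply; not reflection
        entry = hits[src]
        entry[0] = REFLECTOR_PORTS[sport]
        entry[1] += 1
        entry[2] += size
    return {ip: tuple(v) for ip, v in hits.items()}

def block_candidates(hits, min_packets=3):
    """Reflectors that sent at least min_packets unsolicited replies."""
    return sorted(ip for ip, (_, pkts, _) in hits.items() if pkts >= min_packets)
```

The resulting list is only useful while the link itself is not saturated; beyond that point, as the post says, the blocking has to happen upstream.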

There’s a program now that is specialized for DDoS’ing gmod servers?

um ok wow

Not specific to GMod servers; the method works for everything… Facepunch has been hit by it a few times. It’s targeted at GMod players; pain in the arse.

Took me a while to figure out how to reduce the effects of it even with a gig line…

In my opinion there is already DNS Amp implemented in DevNull because when I got DDoSed, I was hit from root-servers.net, and cod4 servers alongside Source Engine Query spam exploits.

There is, and it hits 1-5mbit/s per DNS server. I ended up getting some complaints from DNS hosts once.

Sorry to break it to you buddy but it does work.

Only if your pipe speed is 0.8x the size of the attack, or higher.

Program’s actually rather handy :)

Doesn’t help much when the attacks are large, but it does let you see what type of gameservers are hitting you. Counter strike, quake, multiple cod games. Lots and lots of terrible fun :(

Why don’t we acquire the program, decompile it and have some fun with it by telling it to devnull some of the servers the devnull client talks with or something?

I believe the devnull tells, for example, the cod4 server list to send all the packets to the IP of the target, so if you devnull the servers involved it would just mean you are DDoSing a random person’s server.

Fun fact: our server was just attacked; the DoS attack was mitigated within 10 seconds. Devnull has nothing against Hetzner :v

How big was the attack?